Re: merge search between 2 index

aalhabbash1 · ‎09-08-2019

We need to merge results from two indexes,

I mean, I need any successfully login for users at the same time from two indexes, means I have the SAP logs and windows logs, I need any user access the SAP at 8 AM and at the same time this user access the windows logs. I need to show the count access and users from SAP index and need to show all sources, all destinations from windows index at the same time from two indexes:

for clarification you can see what I need show in the table:
users, count access from SAP index, count access from windows index, all sources from windows index, all destinations from windows index, and time.

Regarding the all sources from windows index, and all destinations from windows index, we need to view all sources and destinations which used from this users values(dest) values(src).

Note:
No need to view the source if owns it from user, we need the source if access from another user not from user which owns this device

no need to display in the table if user access from his device, If was user is aaaaa and he owns device (hqr-aaaaa), no need to display in the table if user=aaaaa and source=hqr-aaaaa?

Please support me in that.

BR;

cquinney · ‎11-18-2019

Were you ever able to resolve this issue/question?

If not, did you try appending the windows index or SAP index in a sub-search then doing a stats command for the fields you need based on the user?

merge search between 2 index

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?